Add support for magic cipher suite value (MCSV). Make secure renegotiation

[openssl.git] / ssl / t1_lib.c

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c311952dad46e24c6bc8b8412a147b3e1abca61d..e5f1ca8e0f0818105dad1484238b1bb2b3d387cc 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -275,8 +275,9 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
        int extdatalen=0;
        unsigned char *ret = p;
 
-       /* don't add extensions for SSLv3 */
-       if (s->client_version == SSL3_VERSION)
+       /* don't add extensions for SSLv3 unless doing secure renegotiation */
+       if (s->client_version == SSL3_VERSION
+                                       && !s->s3->send_connection_binding)
                return p;
 
        ret+=2;
@@ -504,8 +505,8 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
        int extdatalen=0;
        unsigned char *ret = p;
 
-       /* don't add extensions for SSLv3 */
-       if (s->version == SSL3_VERSION)
+       /* don't add extensions for SSLv3, unless doing secure renegotiation */
+       if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
                return p;
        
        ret+=2;
@@ -633,7 +634,6 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 
        s->servername_done = 0;
        s->tlsext_status_type = -1;
-       s->s3->send_connection_binding = 0;
 
        if (data >= (d+n-2))
                {